
Page 1:

06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc.

Prevent DoS using IP source address spoofing

MATSUZAKI ‘maz’ Yoshinobu

<[email protected]>

Page 2:

ip spoofing

creation of IP packets with source addresses other than those assigned to that host

Page 3:

Malicious uses with IP spoofing

• impersonation
  – session hijack or reset

• hiding
  – flooding attack

• reflection
  – ip reflected attack

Page 4:

impersonation

[Diagram: the sender emits an ip spoofed packet with dst: victim, src: partner. The victim reacts: “Oh, my partner sent me a packet. I’ll process this.”]

Page 5:

hiding

[Diagram: the sender floods the victim with ip spoofed packets, dst: victim, src: random. The victim reacts: “Oops, many packets are coming. But, who is the real source?”]

Page 6:

reflection

[Diagram: the sender emits an ip spoofed packet with src: victim, dst: reflector; the reflector answers with a reply packet, src: reflector, dst: victim. The victim reacts: “Oops, a lot of replies without any request…”]

Page 7:

ip reflected attacks

• smurf attacks
  – icmp echo (ping)
  – ip spoofing (reflection)
  – amplification (multiple replies)

• dns amplification attacks
  – dns query
  – ip spoofing (reflection)
  – amplification (bigger reply / multiple replies)

Page 8:

amplification

[Diagram, two cases with a Sender on the left: 1. multiple replies; 2. bigger reply]

Page 9:

ip reflected attacks

[Diagram: the attacker sends ip spoofed packets to an open amplifier; the replies go to the victim]

Page 10:

smurf attack

[Diagram: the Attacker sends an ip spoofed ping; the ICMP echo replies go to the victim]

Page 11:

dns amplification attack

[Diagram: the Attacker sends ip spoofed DNS queries to several DNS servers; the DNS replies go to the victim]

Page 12:

relations – dns amp attack

[Diagram: a Command&Control host drives a botnet that sends IP spoofed DNS queries toward stub-resolvers and full-resolvers; the full-resolvers in turn query root-servers, tld-servers and example-servers, and the DNS replies reach the victim]

Page 13:

solutions for ip reflected attacks

[Diagram: the attacker / ip spoofed packets / open amplifier / replies / victim chain from page 9, with two interventions marked: prevent ip spoofing on the attacker side, and disable open amplifiers]

Page 14:

two solutions

• disable ‘open amplifier’
  – disable ‘directed-broadcast’
  – disable ‘open recursive DNS server’
    • contents DNS server should accept queries from everyone, but service of resolver (cache) DNS server should be restricted to its customer.

• prevent ip spoofing!!
  – source address validation
  – BCP38 & BCP84

Page 15:

Source Address Validation

• Check the source ip address of ip packets
  – filter invalid source address
  – filter as close to the packet’s origin as possible
  – filter as precisely as possible

• If no networks allow ip spoofing, we can eliminate these kinds of attacks

Page 16:

close to the origin

• we can check and drop the packets which have unused address everywhere, but used space can be checked before aggregation

[Diagram: RT.a connects the customer prefixes 10.0.0.0/23 and 10.0.3.0/24 and feeds RT.b. Packets with srcip: 0.0.0.0 are rejected (×, “You are spoofing!”) at RT.a and again at RT.b. A spoofed packet with srcip: 10.0.0.1 (a used address) is rejected at RT.a (×, “You are spoofing!”), but RT.b, which only sees the aggregate, reacts: “Hmm, this looks ok... but..”]

Page 17:

how to configure the checking

• ACL
  – packet filter
  – permit valid-source, then drop any

• uRPF check
  – check incoming packets using the ‘routing table’
  – look up the return path for the source ip address
  – loose mode can’t stop ip reflected attacks

• use strict mode or feasible mode

Page 18:

cisco ACL example

customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, applied inbound on the customer-facing interface of the ISP Edge Router

 ! ingress filter for the customer link: permit the customer prefix (a /24,
 ! so the wildcard mask is 0.0.0.255) and the point-to-point link, then drop any
 ip access-list extended fromCUSTOMER
  permit ip 192.168.0.0 0.0.0.255 any
  permit ip 10.0.0.0 0.0.0.3 any
  deny ip any any
 !
 interface GigabitEthernet0/0
  ip access-group fromCUSTOMER in
 !

Page 19:

juniper ACL example

customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, applied as an input filter on the customer-facing interface of the ISP Edge Router

 firewall {
     family inet {
         /* ingress filter for the customer link: accept the customer /24 and
            the point-to-point link, discard everything else */
         filter fromCUSTOMER {
             term CUSTOMER {
                 from {
                     source-address {
                         192.168.0.0/24;
                         10.0.0.0/30;
                     }
                 }
                 then accept;
             }
             term Default {
                 then discard;
             }
         }
     }
 }

 [edit interfaces ge-0/0/0 unit 0 family inet]
 filter {
     input fromCUSTOMER;
 }

Page 20:

cisco uRPF example

customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, configured on the customer-facing interface of the ISP Edge Router

 ! strict-mode uRPF: the source address must be reachable via the interface
 ! the packet arrived on ("rx")
 interface GigabitEthernet0/0
  ip verify unicast source reachable-via rx

Page 21:

juniper uRPF example

customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, configured on the customer-facing interface of the ISP Edge Router

 /* strict-mode uRPF on the customer-facing unit (Junos rpf-check is strict unless a loose mode is configured) */
 [edit interfaces ge-0/0/0 unit 0 family inet]
 rpf-check;

Page 22:

IIJ’s policy

[Diagram: IIJ/AS2497 in the centre with links to a peer ISP, an upstream ISP, a customer ISP, a multi homed static customer and a single homed static customer; each link is labelled either uRPF strict mode or uRPF loose mode]

Page 23:

ACL and uRPF

• ACL
  – deterministic
    • statically configured
  – maintenance of access-list

• uRPF
  – easy to configure
  – care about asymmetric routing
    • strict mode is working well only for symmetric routing
    • loose mode can’t stop the ip reflected attack
    • there is no good implementation of feasible mode
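The following Python model is an added example, not code from the slides or from IIJ. It implements the two checks the deck compares (a BCP38 ingress ACL and a uRPF lookup in strict, feasible and loose mode) on a toy routing table, and runs them over three constructed scenarios: the ISP edge router of pages 18-21 (the customer prefix and point-to-point link are from the slides; the interface names ge-0/0/0 and ge-0/0/1 and the victim prefix 203.0.113.0/24 are assumptions), the RT.a / RT.b aggregation case of page 16 (the aggregate 10.0.0.0/22 is an assumption), and the asymmetric-routing caveat of page 23 (the multi-homed prefix 198.51.100.0/24 and link names are assumptions). The uRPF model is simplified: the first interface recorded for a prefix is the best path installed in the FIB, and any others are alternate paths that only feasible mode considers.

```python
import ipaddress


class Router:
    """Toy router: a RIB (prefix -> interfaces that can reach it) plus per-interface
    ingress ACLs. paths[0] is the best path installed in the FIB; further entries are
    alternate (feasible) paths known to routing but not used for forwarding."""

    def __init__(self, name):
        self.name = name
        self.rib = {}   # ip_network -> [best_iface, alternate_iface, ...]
        self.acl = {}   # in_iface -> [ip_network, ...] permitted source prefixes

    def add_route(self, prefix, best, *alternates):
        self.rib[ipaddress.ip_network(prefix)] = [best, *alternates]

    def permit_source(self, in_iface, *prefixes):
        # BCP38 ingress ACL, as on slide 17: "permit valid-source, then drop any"
        self.acl.setdefault(in_iface, []).extend(ipaddress.ip_network(p) for p in prefixes)

    def longest_match(self, addr):
        a = ipaddress.ip_address(addr)
        covering = [n for n in self.rib if a in n]
        return max(covering, key=lambda n: n.prefixlen, default=None)

    def acl_check(self, src, in_iface):
        a = ipaddress.ip_address(src)
        return any(a in n for n in self.acl.get(in_iface, []))

    def urpf_check(self, src, in_iface, mode):
        """uRPF: look up the return path for the source address.
        loose    - pass if any route covers the source at all
        strict   - pass only if the best path points back out the incoming interface
        feasible - pass if any known path (best or alternate) uses the incoming interface
        No default route is modelled: with one, loose mode would accept every source,
        which is why router implementations ignore the default route unless told otherwise."""
        net = self.longest_match(src)
        if net is None:
            return False              # unused / unrouted source: dropped in every mode
        paths = self.rib[net]
        if mode == "loose":
            return True
        if mode == "strict":
            return in_iface == paths[0]
        if mode == "feasible":
            return in_iface in paths
        raise ValueError(f"unknown uRPF mode {mode!r}")

    def verdicts(self, src, in_iface):
        return {"acl": self.acl_check(src, in_iface),
                "strict": self.urpf_check(src, in_iface, "strict"),
                "feasible": self.urpf_check(src, in_iface, "feasible"),
                "loose": self.urpf_check(src, in_iface, "loose")}


def edge_router():
    """Slides 18-21: customer 192.168.0.0/24 behind the p2p link 10.0.0.0/30 on ge-0/0/0.
    The upstream interface ge-0/0/1 and the victim prefix 203.0.113.0/24 are constructed."""
    r = Router("ISP-edge")
    r.add_route("192.168.0.0/24", "ge-0/0/0")
    r.add_route("10.0.0.0/30", "ge-0/0/0")
    r.add_route("203.0.113.0/24", "ge-0/0/1")
    r.permit_source("ge-0/0/0", "192.168.0.0/24", "10.0.0.0/30")
    return r


def aggregating_routers():
    """Slide 16: RT.a holds the specific customer prefixes 10.0.0.0/23 and 10.0.3.0/24;
    RT.b only learns the aggregate 10.0.0.0/22 (constructed) via its link to RT.a."""
    rta = Router("RT.a")
    rta.add_route("10.0.0.0/23", "cust-A")
    rta.add_route("10.0.3.0/24", "cust-B")
    rtb = Router("RT.b")
    rtb.add_route("10.0.0.0/22", "to-RT.a")
    return rta, rtb


def multihomed_router():
    """Slide 23 caveat: a multi-homed customer (198.51.100.0/24, constructed) is best
    reached via link-1, but sends its outbound traffic over link-2 (asymmetric routing)."""
    r = Router("ISP-core")
    r.add_route("198.51.100.0/24", "link-1", "link-2")
    return r


if __name__ == "__main__":
    edge = edge_router()
    # legitimate customer source, a reflection attack spoofing the victim, and a bogon
    for src in ("192.168.0.10", "203.0.113.5", "0.0.0.0"):
        print(f"{edge.name}: src {src} in ge-0/0/0 -> {edge.verdicts(src, 'ge-0/0/0')}")
    rta, rtb = aggregating_routers()
    print("RT.a strict, src 10.0.0.1 arriving from cust-B ->",
          rta.urpf_check("10.0.0.1", "cust-B", "strict"))
    print("RT.b strict, same packet after aggregation    ->",
          rtb.urpf_check("10.0.0.1", "to-RT.a", "strict"))
    core = multihomed_router()
    for mode in ("strict", "feasible", "loose"):
        print(f"{core.name}: legitimate 198.51.100.7 in link-2, {mode} ->",
              core.urpf_check("198.51.100.7", "link-2", mode))
```

Running it reproduces the deck's three claims: at the edge, the ACL and strict/feasible uRPF all drop the packet that spoofs the victim's address while loose mode lets it through, so loose mode cannot stop the ip reflected attack; the 10.0.0.1 spoof from the wrong customer is caught at RT.a but looks fine to RT.b, which only sees the aggregate; and on the asymmetric multi-homed link strict mode rejects legitimate traffic that feasible mode would accept.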

Page 24:

END